<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: X-Frame-Options: SAMEORIGON in Adobe Experience Manager Questions</title>
    <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/x-frame-options-sameorigon/m-p/460844#M132923</link>
    <description>&lt;P&gt;The X-Frame-Options header needs to be set in the Apache vhost config, rather than in the dispatcher farm configuration.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In our Managed Services deployment, this header is set by default:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;X-Frame-Options is somewhat limited, however: SAMEORIGIN will only allow you to iframe the content if the domain of the site matches the domain of the AEM server.&lt;BR /&gt;See here for details of the X-Frame-Options header:&amp;nbsp;&lt;A href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options" target="_blank"&gt;https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;From your question it sounds like you want to display the form within some other domain, so you may be better off using the newer &lt;STRONG&gt;Content-Security-Policy&lt;/STRONG&gt; header; this allows you to define a list of domains which are allowed to iframe your content.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors" target="_blank"&gt;https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;An example from our config:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;Header unset X-Frame-Options&lt;BR /&gt;Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"&lt;/PRE&gt;&lt;P&gt;We explicitly unset the X-Frame-Options header to ensure it doesn't cause unwanted behaviour, then set the CSP header.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is set in the publish.vhost file; here is more context from the config file:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;&amp;lt;VirtualHost *:80&amp;gt;&lt;BR /&gt;   ServerName publish&lt;BR /&gt;   ## Put names of which domains are used for your published site/content here&lt;BR /&gt;   ServerAlias    ${PUBLISH_DEFAULT_HOSTNAME} &lt;BR /&gt;   ServerAlias    ${PUBLISH_ASSETS_HOSTNAME}&lt;BR /&gt;   ## Use a doc root that matches what's in the /etc/httpd/conf/publish-farm.any&lt;BR /&gt;   DocumentRoot   ${PUBLISH_DOCROOT}&lt;BR /&gt;   &lt;BR /&gt;   Header Set myconfig true&lt;BR /&gt;   ## Add header breadcrumbs for help in troubleshooting&lt;BR /&gt;   &amp;lt;IfModule mod_headers.c&amp;gt;&lt;BR /&gt;         Header always add X-Dispatcher ${DISP_ID}&lt;BR /&gt;         Header always add X-Vhost "publish"&lt;BR /&gt;         Header unset X-Frame-Options&lt;BR /&gt;         Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"&lt;BR /&gt;         Header merge X-Content-Type-Options nosniff "expr=%{resp:X-Content-Type-Options}!='nosniff'"&lt;BR /&gt;         #### Make sure proxies don't deliver the wrong content&lt;BR /&gt;         Header append Vary User-Agent env=!dont-vary&lt;BR /&gt;   &amp;lt;/IfModule&amp;gt;&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 13 Jul 2022 21:18:52 GMT</pubDate>
    <dc:creator>martin_ecx_io</dc:creator>
    <dc:date>2022-07-13T21:18:52Z</dc:date>
    <item>
      <title>X-Frame-Options: SAMEORIGON</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/x-frame-options-sameorigon/m-p/460842#M132922</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can someone please advise where exactly to add this&amp;nbsp;&lt;STRONG&gt;X-Frame-Options: SAMEORIGIN&amp;nbsp;&lt;/STRONG&gt;for an AEM application. We want an external application to access an Adaptive Form or an AEM Sites page containing that adaptive form. The external application will be accessing the content URL via an iframe, so we want to provide this X-Frame-Options header.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;But I am not sure how to add the line in the "publish-farm.any" or in any other file.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Please advise what the syntax is and which file to add this&amp;nbsp;&lt;STRONG&gt;X-Frame-Options&amp;nbsp;&lt;/STRONG&gt;to for AEM applications.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you&lt;/P&gt;&lt;P&gt;Eshwari&lt;/P&gt;</description>
      <pubDate>Wed, 13 Jul 2022 21:02:34 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/x-frame-options-sameorigon/m-p/460842#M132922</guid>
      <dc:creator>Eshwarign</dc:creator>
      <dc:date>2022-07-13T21:02:34Z</dc:date>
    </item>
    <item>
      <title>Re: X-Frame-Options: SAMEORIGON</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/x-frame-options-sameorigon/m-p/460844#M132923</link>
      <description>&lt;P&gt;The X-Frame-Options header needs to be set in the Apache vhost config, rather than in the dispatcher farm configuration.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In our Managed Services deployment, this header is set by default:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;X-Frame-Options is somewhat limited, however: SAMEORIGIN will only allow you to iframe the content if the domain of the site matches the domain of the AEM server.&lt;BR /&gt;See here for details of the X-Frame-Options header:&amp;nbsp;&lt;A href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options" target="_blank"&gt;https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;From your question it sounds like you want to display the form within some other domain, so you may be better off using the newer &lt;STRONG&gt;Content-Security-Policy&lt;/STRONG&gt; header; this allows you to define a list of domains which are allowed to iframe your content.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors" target="_blank"&gt;https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;An example from our config:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;Header unset X-Frame-Options&lt;BR /&gt;Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"&lt;/PRE&gt;&lt;P&gt;We explicitly unset the X-Frame-Options header to ensure it doesn't cause unwanted behaviour, then set the CSP header.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is set in the publish.vhost file; here is more context from the config file:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;&amp;lt;VirtualHost *:80&amp;gt;&lt;BR /&gt;   ServerName publish&lt;BR /&gt;   ## Put names of which domains are used for your published site/content here&lt;BR /&gt;   ServerAlias    ${PUBLISH_DEFAULT_HOSTNAME} &lt;BR /&gt;   ServerAlias    ${PUBLISH_ASSETS_HOSTNAME}&lt;BR /&gt;   ## Use a doc root that matches what's in the /etc/httpd/conf/publish-farm.any&lt;BR /&gt;   DocumentRoot   ${PUBLISH_DOCROOT}&lt;BR /&gt;   &lt;BR /&gt;   Header Set myconfig true&lt;BR /&gt;   ## Add header breadcrumbs for help in troubleshooting&lt;BR /&gt;   &amp;lt;IfModule mod_headers.c&amp;gt;&lt;BR /&gt;         Header always add X-Dispatcher ${DISP_ID}&lt;BR /&gt;         Header always add X-Vhost "publish"&lt;BR /&gt;         Header unset X-Frame-Options&lt;BR /&gt;         Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"&lt;BR /&gt;         Header merge X-Content-Type-Options nosniff "expr=%{resp:X-Content-Type-Options}!='nosniff'"&lt;BR /&gt;         #### Make sure proxies don't deliver the wrong content&lt;BR /&gt;         Header append Vary User-Agent env=!dont-vary&lt;BR /&gt;   &amp;lt;/IfModule&amp;gt;&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 13 Jul 2022 21:18:52 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/x-frame-options-sameorigon/m-p/460844#M132923</guid>
      <dc:creator>martin_ecx_io</dc:creator>
      <dc:date>2022-07-13T21:18:52Z</dc:date>
    </item>
    <item>
      <title>Re: X-Frame-Options: SAMEORIGON</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/x-frame-options-sameorigon/m-p/460845#M132924</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;LI-USER uid="17421608"&gt;&lt;/LI-USER&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;As I understand it,&amp;nbsp;&lt;SPAN&gt;in Apache you have a security.conf file in the conf-available directory. In this file, search for X-Frame-Options; it is already present there but commented out by default. Now you have two options.&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;&lt;SPAN&gt;Uncomment this setting and restart your Apache server.&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;Copy and paste this setting into the apache.conf file, uncomment it and restart your Apache server.&lt;BR /&gt;&lt;/SPAN&gt;&lt;/LI&gt;&lt;/OL&gt;&lt;PRE&gt;&amp;lt;IfModule mod_headers.c&amp;gt;
    # Only add SAMEORIGIN when the response does not already carry it
    Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"
&amp;lt;/IfModule&amp;gt;&lt;/PRE&gt;&lt;P&gt;&lt;SPAN&gt;Reference:&amp;nbsp;&lt;A href="https://www.aemrules.com/2020/04/aem-security-headers.html?m=1" target="_blank" rel="noopener"&gt;https://www.aemrules.com/2020/04/aem-security-headers.html?m=1&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Hope that helps!&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Regards,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Santosh&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 13 Jul 2022 21:22:01 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/x-frame-options-sameorigon/m-p/460845#M132924</guid>
      <dc:creator>SantoshSai</dc:creator>
      <dc:date>2022-07-13T21:22:01Z</dc:date>
    </item>
    <item>
      <title>Re: X-Frame-Options: SAMEORIGON</title>
      <link>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/x-frame-options-sameorigon/m-p/460890#M132933</link>
      <description>&lt;P&gt;The X-Frame-Options header needs to be set in the domain or publish vhost file. In your "domain.vhost" file, add&amp;nbsp;Header merge X-Frame-Options SAMEORIGIN&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Below is an example of a vhost file with the syntax:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;&amp;lt;VirtualHost *:80&amp;gt;
ServerName "publish"
## Put names of which domains are used for your published site/content here
ServerAlias www.yourdomain.com publish-p&amp;lt;pid&amp;gt;-e&amp;lt;envid&amp;gt;.adobeaemcloud.com publish-p&amp;lt;pid&amp;gt;-e&amp;lt;envid&amp;gt;.adobeaemcloud.net

## Use a document root that matches the one in conf.dispatcher.d/default.farm
DocumentRoot "${DOCROOT}"
## Add header breadcrumbs for help in troubleshooting
&amp;lt;IfModule mod_headers.c&amp;gt;
Header always add X-Dispatcher ${DISP_ID}
Header always add X-Vhost "publish"
Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"
&amp;lt;/IfModule&amp;gt;
&amp;lt;/VirtualHost&amp;gt;&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Heena&lt;/P&gt;</description>
      <pubDate>Thu, 14 Jul 2022 06:55:54 GMT</pubDate>
      <guid>https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/x-frame-options-sameorigon/m-p/460890#M132933</guid>
      <dc:creator>HeenaMadan</dc:creator>
      <dc:date>2022-07-14T06:55:54Z</dc:date>
    </item>
  </channel>
</rss>